ITSD Computing and Communications Services News
February 2005

Monthly Virus Update: More than 75,000 Worms and Viruses Stopped Cold

The Lab's virus wall continues to guard Lab systems against worm and virus infections. Last month it detected and eradicated 75,420 worms and viruses, almost all of which target Windows systems. In contrast, the number in January was 108,627. For the ninth consecutive month, the Windows-targeting Netsky.P worm was most common, with 40,406 copies identified and eradicated—this is down slightly from 42,992 the previous month.

The Windows-targeting Netsky.D worm came in second place with 5,049 instances detected and deleted (as opposed to 5,103 last month). Netsky.D sets up its own mail engine, which sends messages with subjects such as "Re: Thanks," "Re: Hi," "Re: Your website," "Re: Your Word file," and "Hello." Examples of message bodies include "Here is your file," "Your file is attached," "Your document is attached," and "Please have a look at the attached file." The sender's address is always spoofed; it is taken from entries found in the address books of systems that Netsky.D has already infected. Each attachment has a .pif file extension. Netsky.D also modifies the Registry and makes other changes to victim systems, such as installing the mail engine described above.

The Beagle.W (also called Bagle.Z) worm came in third place with 3,952 copies caught and eradicated. Beagle.W tries to trick recipients into opening infected attachments by forging the sender's name. Messages generated by Beagle.W carry subjects such as "I like you, Hello!", "I'm a sad girl," "Re. Thank you!", and "Re. Yahoo!". Each message has two parts: a body that begins with "Hi," "Hey," "Hello," or "Dear," and two attachments, the first a .JPEG picture of a young woman and the second a copy of the worm code. Beagle.W halts running processes, changes the Registry, initiates connections to certain Web sites, installs a back door program that enables attackers to gain remote access to the victim system, and installs a mail engine that sends a plethora of messages containing copies of the worm code.
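The two paragraphs above list concrete traits a mail gateway can key on: a fixed set of subject and body strings, a .pif attachment (Netsky.D), a greeting followed by a picture-plus-executable attachment pair (Beagle.W), and a forged sender address. The filter below is an added example written for this newsletter, not ITSD's virus wall or any vendor's product; the message layout, the field names, the organization domain `lab.example`, the list of executable extensions beyond .pif, and the sample messages are all assumptions constructed for the illustration.

```python
"""
Added example (not code from the ITSD newsletter or the Lab's virus wall):
a mail-gateway triage filter that flags messages showing the Netsky.D and
Beagle.W traits described in the text. The Message layout, ORG_DOMAIN,
the executable-extension list and the sample messages are assumptions.
"""
import os
from dataclasses import dataclass, field
from typing import List

# Indicators taken from the newsletter text (lower-cased for comparison).
NETSKY_D_SUBJECTS = {"re: thanks", "re: hi", "re: your website",
                     "re: your word file", "hello"}
NETSKY_D_BODIES = {"here is your file", "your file is attached",
                   "your document is attached",
                   "please have a look at the attached file"}
BEAGLE_W_SUBJECTS = {"i like you, hello!", "i'm a sad girl",
                     "re. thank you!", "re. yahoo!"}
BEAGLE_W_GREETINGS = ("hi", "hey", "hello", "dear")

# .pif is the extension the text names; the rest are common Windows
# executable extensions added here as a generic check (assumption).
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg"}

# Assumed local mail domain; a message from outside that claims an internal
# sender is the spoofing pattern both worms rely on.
ORG_DOMAIN = "lab.example"


@dataclass
class Message:
    """Simplified view of a message as seen at the gateway (assumption)."""
    subject: str
    body: str
    sender: str
    attachments: List[str] = field(default_factory=list)  # filenames only
    external: bool = False  # True if received from outside the Lab


def _ext(filename: str) -> str:
    return os.path.splitext(filename.lower())[1]


def triage(msg: Message) -> List[str]:
    """Return the list of indicator names the message matches, in a fixed order."""
    hits: List[str] = []
    subj = msg.subject.strip().lower()
    body = msg.body.strip().lower()
    exts = [_ext(a) for a in msg.attachments]
    has_exec = any(e in EXECUTABLE_EXTENSIONS for e in exts)

    # Netsky.D: a known subject or body string together with a .pif attachment.
    if (subj in NETSKY_D_SUBJECTS or body in NETSKY_D_BODIES) and ".pif" in exts:
        hits.append("netsky.d")

    # Beagle.W: known subject, greeting at the start of the body, and exactly
    # two attachments where the first is a picture and the second executable.
    if (subj in BEAGLE_W_SUBJECTS
            and body.startswith(BEAGLE_W_GREETINGS)
            and len(exts) == 2
            and exts[0] in IMAGE_EXTENSIONS
            and exts[1] in EXECUTABLE_EXTENSIONS):
        hits.append("beagle.w")

    # Generic rule: any executable attachment is worth quarantining on its own,
    # since the worm family changes but the delivery mechanism does not.
    if has_exec:
        hits.append("executable-attachment")

    # Sender spoofing: an externally received message claiming an internal address.
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    if msg.external and sender_domain == ORG_DOMAIN:
        hits.append("spoofed-internal-sender")

    return hits


# Constructed sample traffic: two worm-style messages and one benign one.
SAMPLES = [
    Message("Re: Your website", "Here is your file",
            "colleague@lab.example", ["document.pif"], external=True),
    Message("I'm a sad girl", "Hi, I wanted to show you my picture",
            "someone@example.net", ["me.jpeg", "photo.exe"], external=True),
    Message("Re: meeting", "See attached agenda.",
            "alice@lab.example", ["agenda.pdf"], external=False),
]


def scan_all(msgs: List[Message]) -> dict:
    """Map each message subject to its indicator hits."""
    return {m.subject: triage(m) for m in msgs}


if __name__ == "__main__":
    for subject, hits in scan_all(SAMPLES).items():
        print(f"{subject!r}: {hits or 'clean'}")
```

The first two rules are narrow signatures that will stop matching as soon as the worm author changes a string; the executable-attachment and spoofed-sender rules are the ones that keep paying off across variants, which is why a gateway should block executable attachments outright rather than rely on per-family subject lists.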

Bagle.AX and Bagle.AY are two of the latest versions of the Bagle (also called "Beagle") worm. They are notable as the 50th and 51st versions of the original Bagle worm, which first appeared in January 2004. Users inadvertently launch these worms and infect their systems by opening an infected attachment in an email message or in a shared folder on a peer-to-peer network accessed via KaZaA, Gnutella, or another such program. Once these worms infect a system, they modify its Registry so that their code is executed whenever the system starts. They also glean email addresses from each infected system and mail copies of themselves to those addresses, spoofing the sender address in the messages they send.

Please note that the use of peer-to-peer networking at the Lab for reasons other than job-related purposes (e.g., scientific data exchange) is not allowed.